Henry,
My only concern with [2] is this set of requirements
> Such recipients SHOULD NOT override the specified type it there are
> known security risks and they SHOULD provide for users to disable such
> heuristic Content-Type detection.
as discussed before.
HTTPbis can introduce new requirements that break existing implementations only where there are overriding security and/or interoperability concerns.
While it could be argued that this holds true here, the first requirement is quite vague, and the second will AFAIK make every existing implementation non-conformant (with the possibility that they will remain so indefinitely).
Would the TAG be amenable to either dropping this sentence from the proposal, or modifying the text at [3] to address your concerns?
Regards,
On 09/06/2010, at 10:47 PM, Henry S. Thompson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Further to the TAG's suggestion in [1] regarding 'sniffing', and
> replies from Yves Lafon [2] and Mark Nottingham [3], the TAG has asked
> me to convey our thanks for your willingness to reopen this issue.
> With some minor adjustments, we are happy that the text proposed at [2]
> addresses most of our concerns.
>
> We suggest the following two minor changes:
>
> does not correctly identify the content sent
>
> -->
>
> does not reflect the intended interpretation of the content sent
>
> and
>
> Such recipients SHOULD NOT
>
> -->
>
> Recipients SHOULD NOT
>
> We would however prefer that something about this issue also remain in
> section 3.1.2. Perhaps keep
>
> If the Content-Type header field is present, a recipient which
> interprets the underlying data in a way inconsistent with the
> specified media type risks drawing incorrect conclusions.
>
> in 3.1.2, adding something along the lines of "See [7.3] for a related
> security issue.", but we are happy to leave this to your editorial
> discretion.
>
> We are less happy with the proposed addition suggested by Mark in [3],
> on the grounds that it a) implies that documents have media types in
> some intrinsic way, which we think is at best misleading, and that b)
> the straw men it sets up will in fact be counterproductive.
>
> ht, on behalf of the TAG
>
> [1] http://lists.w3.org/Archives/Public/public-html/2010Mar/0493.html
> [2] http://lists.w3.org/Archives/Public/public-html/2010Mar/0659.html
> [3] http://lists.w3.org/Archives/Public/public-html/2010May/0330.html
> [This message pertains to TAG ACTION-370]
> - --
> Henry S. Thompson, School of Informatics, University of Edinburgh
> 10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
> Fax: (44) 131 651-1426, e-mail: ht@inf.ed.ac.uk
> URL: http://www.ltg.ed.ac.uk/~ht/
> [mail from me _always_ has a .sig like this -- mail without it is forged spam]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFMD414kjnJixAXWBoRAr4EAJ9W4zFN1SywFjfMG8QQtXAiPPmaIwCfbAw2
> rZ/VkbMn24RAI2S6OoMUDWU=
> =dhkn
> -----END PGP SIGNATURE-----
--
Mark Nottingham http://www.mnot.net/